<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Authorization exceptions | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'security-trb-roles.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/security-trb-roles.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/security-trb-roles.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/security-trb-roles.html" rel="nofollow" target="_blank">../en/security-trb-roles.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="secure-cluster.html">Secure a cluster</a></span>
»
<span class="breadcrumb-link"><a href="security-troubleshooting.html">Troubleshooting security</a></span>
»
<span class="breadcrumb-node">Authorization exceptions</span>
</div>
<div class="navheader">
<span class="prev">
<a href="security-trb-settings.html">« Some settings are not returned via the nodes settings API</a>
</span>
<span class="next">
<a href="security-trb-extraargs.html">Users command fails due to extra arguments »</a>
</span>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="security-trb-roles"></a>Authorization exceptions<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/troubleshooting.asciidoc">edit</a>
</h2>
</div></div></div>
<p><span class="strong strong"><strong>Symptoms:</strong></span></p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
I configured the appropriate roles and the users, but I still get an
authorization exception.
</li>
<li class="listitem">
I can authenticate to LDAP, but I still get an authorization exception.
</li>
</ul>
</div>
<p><span class="strong strong"><strong>Resolution:</strong></span></p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<p>Verify that the role names associated with the users match the roles defined
in the <code class="literal">roles.yml</code> file. You can use the <code class="literal">elasticsearch-users</code> tool to list all
the users. Any unknown roles are marked with <code class="literal">*</code>.</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">bin/elasticsearch-users list
rdeniro        : admin
alpacino       : power_user
jacknich       : monitoring,unknown_role* <a id="CO504-1"></a><i class="conum" data-value="1"></i></pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO504-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p><code class="literal">unknown_role</code> was not found in <code class="literal">roles.yml</code></p>
</td>
</tr>
</table>
</div>
<p>For more information about this command, see the
<a href="users-command.html" class="ulink" target="_top"><code class="literal">elasticsearch-users</code> command</a>.</p>
</li>
<li class="listitem">
<p>If you are authenticating to LDAP, a number of configuration options can cause
this error.</p>
<div class="informaltable">
<table border="1" cellpadding="4px">
<colgroup>
<col class="col_1">
<col class="col_2">
</colgroup>
<tbody>
<tr>
<td align="left" valign="top"><p><em>group identification</em></p></td>
<td align="left" valign="top"><p>Groups are located by either an LDAP search or by the "memberOf" attribute on
the user.  Also, If subtree search is turned off, it will search only one
level deep. For all the options, see <a class="xref" href="security-settings.html#ref-ldap-settings" title="LDAP realm settings">LDAP realm settings</a>.
There are many options here and sticking to the defaults will not work for all
scenarios.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><em>group to role mapping</em></p></td>
<td align="left" valign="top"><p>Either the <code class="literal">role_mapping.yml</code> file or the location for this file could be
misconfigured. For more information, see <a href="security-files.html" class="ulink" target="_top">Security files</a>.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><em>role definition</em></p></td>
<td align="left" valign="top"><p>The role definition might be missing or invalid.</p></td>
</tr>
</tbody>
</table>
</div>
<p>To help track down these possibilities, add the following lines to the end of
the <code class="literal">log4j2.properties</code> configuration file in the <code class="literal">ES_PATH_CONF</code>:</p>
<div class="pre_wrapper lang-properties">
<pre class="programlisting prettyprint lang-properties">logger.authc.name = org.elasticsearch.xpack.security.authc
logger.authc.level = DEBUG</pre>
</div>
<p>A successful authentication should produce debug statements that list groups and
role mappings.</p>
</li>
</ol>
</div>
</div>
<div class="navfooter">
<span class="prev">
<a href="security-trb-settings.html">« Some settings are not returned via the nodes settings API</a>
</span>
<span class="next">
<a href="security-trb-extraargs.html">Users command fails due to extra arguments »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>